I'm happy to announce that we have just published a new article about the new AppScan Standard integration with Application Security on Cloud. AppScan Standard 9.0.3.5 can integrate with Application Security on Cloud (ASoC). It is now possible to upload scans and templates (SCAN or SCANT files) to Application Security on Cloud to run scans. This article introduces how to configure and run a scan from AppScan Standard in Application Security on Cloud.

Generally, iOS is claimed to be secure. Each app must pass Apple's vetting process before being published to the App Store. Additionally, the iOS framework is strict; for instance, it does not allow unauthorized apps to be installed on the device or any modification of the app files. This prevents malicious apps from reaching the iOS environment. However, it doesn't prevent security vulnerabilities that stem from a valid app's own code. The iOS Analyzer covers this gap by detecting these issues and supplying the information required to fix them.

Our solution relies on IBM's innovative Glass Box technology, extending it to the mobile space. The Mobile Analyzer for iOS (part of IBM Application Security on Cloud) installs the application and then performs automatic crawling to simulate the user's interaction with the app. While the application is active, the Glass Box monitors and logs specific system method calls, which are used to detect security vulnerabilities. Using Glass Box technology yields accurate and detailed results (such as the location of the security issue in the user code).

Running the iOS Analyzer

The first step to using the iOS Analyzer is to generate the IPAX file. The IPAX file contains the user application after it has been linked with the proprietary iOS Analyzer library, which allows the iOS Analyzer to monitor the application code at runtime.

To generate the IPAX file, download the IPAX Generator utility from the iOS Analyzer. You can then run the IPAX Generator from the command line, supplying the path to your Xcode project or workspace. The IPAX Generator automatically downloads the latest version of the iOS Analyzer library, then builds and packages the application with the library linked to it. The resulting IPAX file contains the built application. It is also strongly encrypted to protect your privacy.

In order to test your application, simply upload the IPAX file to the iOS Analyzer. You may supply some additional information, such as user credentials, if the application requires it.

The iOS Analyzer will then automatically crawl your app, detecting any possible security vulnerabilities. Once the scan is done, a comprehensive report will be generated, which will include details for each vulnerability, such as the description of the security issue, how and where it was found in the app code, and how to fix it.

When hackers attempt to break into a web application, they usually first map it out by following every link to find all the valid paths. Then, they attempt to enter various invalid values in the input fields to see whether the application suffers from any of the well-known code injection vulnerabilities. In this new tutorial by Ori Pomerantz, you learn how to detect these attacks. Once you detect them, you can shut down access from the attacking IP address, redirect it into a slow "tar pit," or perform other actions to become a harder target.
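As an added illustration of the two attacker phases the tutorial describes (mapping the application, then probing inputs with invalid values), the following example is not code from the tutorial or from IBM. It runs simple per-IP heuristics over a constructed sample access log; the thresholds, the log lines and the list of injection-style markers are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote
# Constructed sample access log (Common Log Format); not from the tutorial.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Aug/2015:12:00:01 -0400] "GET /index.html HTTP/1.1" 200 1042
203.0.113.7 - - [13/Aug/2015:12:00:04 -0400] "GET /products?id=42 HTTP/1.1" 200 2210
198.51.100.9 - - [13/Aug/2015:12:00:05 -0400] "GET /admin HTTP/1.1" 404 0
198.51.100.9 - - [13/Aug/2015:12:00:05 -0400] "GET /backup HTTP/1.1" 404 0
198.51.100.9 - - [13/Aug/2015:12:00:06 -0400] "GET /old/login HTTP/1.1" 404 0
198.51.100.9 - - [13/Aug/2015:12:00:06 -0400] "GET /products?id=42' HTTP/1.1" 500 0
198.51.100.9 - - [13/Aug/2015:12:00:07 -0400] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 300
203.0.113.7 - - [13/Aug/2015:12:00:09 -0400] "GET /missing.png HTTP/1.1" 404 0
"""
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# Starting list of injection-style markers (quote breaking, script tags,
# boolean SQL tails, traversal); constructed for this example, not the tutorial's.
PROBE_RE = re.compile(r"""['"]|<script|\bor\b\s+1=1|\.\./""", re.IGNORECASE)

def parse_line(line):
    """Return (ip, path, status) for a CLF line, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return (m.group(1), unquote(m.group(3)), int(m.group(4))) if m else None

def detect_scanners(log_text, max_not_found=3, max_probes=1):
    """Flag IPs showing the two phases the tutorial describes: mapping (a burst
    of 404s while walking paths) and probing (injection-style query values).
    Returns {ip: [reason, ...]} for flagged IPs only."""
    not_found, probes = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        ip, path, status = rec
        if status == 404:
            not_found[ip] += 1
        query = path.partition("?")[2]
        if query and PROBE_RE.search(query):
            probes[ip] += 1
    flagged = {}
    for ip in set(not_found) | set(probes):
        reasons = []
        if not_found[ip] >= max_not_found:
            reasons.append(f"mapping: {not_found[ip]} not-found responses")
        if probes[ip] >= max_probes:
            reasons.append(f"probing: {probes[ip]} injection-style inputs")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

The flagged dictionary is the input to whatever response you choose (blocking, tar-pitting, alerting); a single stray 404 from a legitimate client stays below the mapping threshold.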

Where's your risk?

37% of all security risks begin at the application layer. Software applications support the most sensitive and strategically important business processes of most enterprises. Yet application security is one of the most neglected fields of security. That puts pressure on every team in the organization—from developers and IT up to the CISO. Security is no longer just an IT issue; it's a business issue, and developers are at the forefront.

Learn what you can do to find application vulnerabilities

David Marshak, Jason Todd, and Kris Duer (Lead Analytics Developer, AppScan, IBM Security) from IBM Security's AppScan team will be leading a webinar on moving your Static Application Security Testing to the cloud and using advanced analytics to help find risks in your applications. Here's how they describe the webinar:

"In this session we will introduce IBM Static Analyzer (now in beta) and show how it greatly simplifies static analysis (or white box) security scanning. We will discuss and demonstrate how it can easily integrate into the development lifecycle, as well as how it uses advanced analytics to produce targeted/actionable results to enable you to remediate security vulnerabilities."

Register now!

This webinar will be held on Thu, Aug 13, 2015 from 12:00 PM to 1:00 PM EDT.

Securing applications – whether on the Web, on mobile, or on desktop – is more important than ever. But many developers aren’t experts in security, and most existing security testing tools aren’t made for non-experts to use. IBM Security is lowering the barriers to application security testing with its new cloud-based security analysis services.

One of those services, IBM Static Analyzer, provides a simple way to scan your application code for security vulnerabilities and is now available as a free beta on IBM Bluemix.

Static Application Security Testing

Static Application Security Testing, or SAST, refers to security testing that is performed without actually executing the target application. Instead, the application’s source code or binaries are analyzed to look for potential vulnerabilities, such as the use of unsafe APIs or failure to properly validate untrusted data. Static analysis is a powerful testing technique because it directly identifies the underlying causes of vulnerabilities, without actually having to exploit them in the running application. IBM recommends combining SAST with Dynamic Application Security Testing (DAST) or Interactive Application Security Testing (IAST), to maximize the effectiveness of your testing. This blog focuses solely on SAST.

Making SAST simple

Traditionally, SAST has largely been the domain of security experts, and static analysis tools have reflected that reality. Static Analyzer marks a new approach to SAST, with a focus on making things easy.

Because Static Analyzer runs on the cloud, there’s no need for dedicated hardware and no complicated installation or configuration. Static Analyzer also simplifies the entire application testing process, from preparing the application for analysis to understanding and evaluating your results. Static Analyzer is designed to get out of the way, fitting in with the development tools you already use, and to present you with only the most relevant, actionable results.

One significant challenge with traditional SAST tools is the volume of results they produce. Many of the “issues” they find don’t actually represent exploitable vulnerabilities when the application is running in the real world. It takes time, security expertise, and knowledge of the application to figure out which of those issues need fixing, and which simply represent false positives. Static Analyzer includes a new technology called Intelligent Finding Analytics, or IFA, which combs through the results and applies machine learning to identify the findings that are most likely to represent real, actionable security issues, delivering only these most valuable results directly to developers.

Prepare, test, fix

Using Static Analyzer to secure an application involves three simple steps: Prepare, test, and fix.

To prepare your application for analysis, you need to create an intermediate representation of it, which we call an IRX file. This representation is neither the full source nor binary form of the application, but contains the information about method calls and data flow that’s required by the analysis engine to perform SAST in the cloud. It is also strongly encrypted to protect your application.

To create an IRX file, you’ll use the Static Analyzer Client Utility, which you can download the first time you use the Static Analyzer service. This lightweight utility integrates into your Maven build, Eclipse workspace, or other environments (via a command-line tool) to prepare Java applications for analysis. It automatically discovers built artifacts and creates the IRX with minimal configuration – often none at all.

Testing is as simple as dragging and dropping the IRX file into the Static Analyzer Web interface to begin the analysis. When the analysis is complete, a report is generated, listing all of the actionable issues that are discovered.

For each issue, the report includes a trace showing the vulnerable path through the application and describes the nature of the vulnerability and how to fix it. It even groups together related issues with a common fix, and suggests where that fix should go.

All of this information makes it easier for developers to understand and fix the issues identified in their applications.

Try Static Analyzer beta today

Static Analyzer is available now as a free beta on Bluemix. Currently, it supports scanning Java applications, and the Client Utility runs on Windows and Linux, with additional language and platform support to come. You can see Static Analyzer in action, and try scanning your applications for free at ibm.biz/staticanalyzer.

Strengthen application protection from design to deployment

This paper looks at how an effective application security program can help organizations protect their priceless digital assets in the cloud. It also describes how a secure-by-design approach to application security can reduce overall risk across the IT infrastructure.

I'm happy to announce that we have just published a new how-to guide from Ori Pomerantz on how to get the most out of IBM AppScan Source. This new how-to guide is specifically targeted at the individual developer who wants to get the most out of their source code scanning efforts.

Guang Dong Li, Cheng-Yu Yu, and Jia Li Chen have just published "Introduction to action-based login in IBM Security AppScan Standard 9.0" on the Security on dW community. This is an important white paper for anyone designing AppScan scans. Abstract: Action-based login is an important enhancement in AppScan Standard 9.0. It records the user's actual operations in the browser, such as filling out fields, clicking, and so on. The recorded operations are then used to perform a login when scanning an application. In this article, you can learn about the advantages of action-based login and how to use this feature in AppScan Standard 9.0.

Today's modern web applications are more than a match for most desktop PC applications and continue to push boundaries by taking advantage of limitless cloud services. But more powerful web applications mean more complicated code, and the more complicated the code, the greater the risk of coding flaws — which can lead to serious security vulnerabilities within the application. Web application vulnerabilities face exploitation by relentless malicious actors, bent on profiteering from data theft or gaining online notoriety by causing mischief. This article looks at securing web applications by adopting industry best application development practices, such as the OWASP Top 10, and using web application vulnerability scanning tools like IBM Rational® AppScan®.

You might also be interested in:

IBM Security AppScan is a leading application security testing suite designed to help manage vulnerability testing throughout the software development lifecycle. IBM Security AppScan automates vulnerability assessments and scans and tests for all common web app vulnerabilities, including SQL injection, cross-site scripting, buffer overflow, and new flash/flex app and Web 2.0 exposure scans.

AppScan provides full coverage of the OWASP Top 10 for 2013. Our solution also includes support for the industry-standard Transport Layer Security (TLS) protocol 1.2, and is compliant with Federal Information Processing Standard (FIPS) 140-2 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a.

IBM has published a video demo of AppScan Enterprise in action, managing a large inventory of web applications from a central reporting and management dashboard. This video follows John, an IT security team lead, as he builds a consolidated inventory of application assets in AppScan Enterprise 9.0 to improve his organization's application security protection. First, John creates attributes that describe the applications, then he imports a list of existing applications and creates new ones. Lastly, he associates existing AppScan Source and AppScan Standard scans to his new applications and creates new scans, as he discovers areas that lack proper scanning coverage.

This video will inspire you to do a better job managing your application security scanning.

You know you need to get a better handle on managing the security of your public-facing web apps. But what does that mean exactly, and how do you elevate your day-to-day activities to something that doesn't resemble a chicken running around with its head cut off? IBM Security Systems has a demo video that will help you think about what web app security management _should_ look like.

Paul Ionescu is one of IBM's secure engineering experts and he has published a tutorial article on the anatomy of a cross-site request forgery attack and two strategies for eliminating these vulnerabilities from your applications.